Volume 2, Issue 1 ISSN - 2218-6638 International Journal for Advances in Computer Science March 2011 © IJACS 2010 - All rights reserved 21 The remainder of this paper is organized as follows: Section 2 discusses related inventions and innovations. Section 3 introduces the proposed scheme in which we also discuss the guidelines of building the virtual environment and its possible applications. Section 4 discusses the security analysis including possible attacks and countermeasures. Section 5 presents the experimental conditions. Finally, in Section 6, we conclude and discuss the future work.

2. Related inventions and innovations

Graphical passwords which were introduced by Blonder, brought a new revolution in authentication systems [11] [12] [13]. It consists of both recall and recognition methodologies e.g. Pass-faces, pass-point, DAS etc., Though the graphical passwords could produce a longer password size it suffered from the shoulder surfing attack. The pass-faces is a recognition type of method which consists of selecting an image by a user from a set of images projected on the screen. For this authentication system to work, initially the users need to specify a set of graphical images of his choice to the authentication system through a secure channel. The pass-point method is a recall method where the user needs to select different points on a picture that resembles his password [14]. The DAS Draw a sketch method also falls in this category where the user needs to draw his login sketch on a grid 5x5, 10x10 or 25x25. The login involves in identifying the lines that pass through the different grids present on the screen. Biometrics authentication system even though became popular with a short start still people are afraid of using it as it involves in recording the user’s physical aspects posing a threat to his privacy. In addition, some users resist the idea of a low intensity infrared light or any other kind of light directed at their eyes, such as in retina recognition systems. Moreover, biometrics cannot be revoked, which leads to a dilemma in case the user’s data have been forged. Unlike other authentication schemes where the user can alter his password at times of threat to privacy [15] [16], a user’s biometrics cannot be revoked. Many authentication systems are based on tangible objects and are referred to as token-based systems. Many token- based systems are vulnerable to theft and loss [1] [5]; therefore, most token-based systems require a personal identification number followed by a textual password for authentication e.g. a debit or a credit card. Our schema involves the efficient utilization of all the mechanisms above discussed and it is small in size and an optimal solution.

3. The proposed scheme

This scheme is proposed keeping in mind the requirement to overcome the disadvantages of all the previous schemes and is outlined as follows: i. The system should be in smaller size. As the utilization of the users on the Internet is higher, the requirement of the scheme also increases. ii. The newly proposed scheme should be easy to use. iii. It should produce a higher password size compared to the previous schemes. iv. Password provided by the scheme should be easy to remember. v. It should consist of passwords that are not easy to be written down. vi. Users should have the freedom of selecting their passwords [14]. vii. The newly proposed system should provide a method for changing passwords. Hence, keeping in mind all the above requirements the proposed system was designed.

A. The proposed system

The system consists of merging different authentication schemes together. The system presents a simple virtual environment containing various items. The user goes through this environment and changes the state of the items [10]. The system simply combines the sequence of user interactions that occur in the virtual environment which is depicted in Figure 1. The system can combine recognition-, recall-, token-, and biometrics-based systems into one authentication scheme. This can be done by designing a virtual environment that contains items that request information to be recalled, information to be recognized, tokens to be presented, and biometrical data to be verified. For example, the user can change the state of a window or a door in the virtual environment by simply clicking over it, later switch on a light bulb and finally click on login. The combination and the sequence of the previous actions construct the user’s password action sequence recorded by a background invisible process as in Figure 1. Items can be any object that we encounter in real life. Any obvious state changes and interactions toward the real-life objects can be done in the virtual environment toward the items which, may include: i. Openingclosing windows or doors. ii. Typing a textual password on a virtual keyboard. iii. Switching onoff the lights. iv. Performing biometrics by selecting a virtual item in the environment. v. Identifying a graphical password. vi. Providing a token for identification e.g. RF-ID on selecting an item. vii. Writing on a paper present in the virtual environment. viii. Moving an item. Volume 2, Issue 1 ISSN - 2218-6638 International Journal for Advances in Computer Science March 2011 © IJACS 2010 - All rights reserved 22 ix. Any other authentication scheme which is to be developed in the future. The state change performed on an item differs from that of a different item hence, preserving the unique changes made at an item for later recognition process of the authentication system. Therefore, to generate the legitimate password, the user must follow the same scenario performed by him initially. This means changing state of the same items and performing the exact actions in a proper sequence.

B. Password selection and inputs